8.18 Security Mode Control

3GPP TS 25.413 Release 17: UTRAN Iu interface Radio Access Network Application Part (RANAP) signalling

8.18.1 General

The purpose of the Security Mode Control procedure is to pass ciphering and integrity mode information to the UTRAN. The UTRAN uses this information to select and load the encryption device for user and signalling data with the appropriate parameters, and also to store the appropriate parameters for the integrity algorithm. The procedure uses connection oriented signalling.

8.18.2 Successful Operation

Figure 19: Security Mode Control procedure. Successful operation.

The CN initiates the procedure by sending a SECURITY MODE COMMAND message. The message may contain the Encryption Information IE and shall contain the Integrity Protection Information IE, specifying, in preferred order with the most preferred first in the list, which ciphering, if any, and integrity protection algorithms may be used by the UTRAN.

The Permitted Encryption Algorithms IE within the Encryption Information IE may contain "no encryption" as an element of its list in order to allow the RNC not to cipher the respective connection. This can be done either by not starting ciphering or by using the UEA0 algorithm. In the absence of the Encryption Information group IE in the SECURITY MODE COMMAND message, the RNC shall not start ciphering.

Upon reception of the SECURITY MODE COMMAND message, the UTRAN shall internally select appropriate algorithms, taking into account the UE/UTRAN capabilities. If a signalling connection already exists towards the other core network domain and integrity has been started, the same ciphering and integrity alternatives as being used for that core network domain shall be selected. If a signalling connection already exists towards the other core network domain and the Security Mode Control procedure is ongoing on that core network domain, the same ciphering and integrity alternative shall be selected for the two domains. This means in particular for encryption that if "no encryption" or no Encryption Information IE has been received from the first core network domain and integrity has been started but ciphering has not been started, ciphering shall also not be started for the second core network domain. The UTRAN shall then trigger the execution of the corresponding radio interface procedure and, if applicable, start/restart the encryption device and also start/modify the integrity protection.

The CN may send a SECURITY MODE COMMAND message towards the RNC also when integrity protection and possibly ciphering has already been started for an existing signalling connection towards that core network domain. This may be used to activate new integrity protection and ciphering keys. The included integrity protection and ciphering information shall then support (at least) the integrity protection alternative and the ciphering alternative presently being used and the Key Status IE shall have the value "New".

When the execution of the radio interface procedure is successfully finished, the UTRAN shall return a SECURITY MODE COMPLETE message to the CN. This message shall include the Chosen Integrity Protection Algorithm IE and may include the Chosen Encryption Algorithm IE.

The Chosen Encryption Algorithm IE shall be included in the SECURITY MODE COMPLETE message if, and only if, the Encryption Information IE was included in the SECURITY MODE COMMAND message.

The set of permitted algorithms specified in the SECURITY MODE COMMAND message shall remain applicable for subsequent RAB Assignments and Intra-UTRAN Relocations.

In case of a UE with Radio Access Bearers towards both core networks, the user data towards CS shall always be ciphered with the ciphering key received from CS and the user data towards PS with the ciphering key received from PS. The signalling data shall always be ciphered with the last received ciphering key and integrity protected with the last received integrity protection key from any of the two CNs.

8.18.3 Unsuccessful Operation

Figure 20: Security Mode Control procedure. Unsuccessful operation.

If the UTRAN or the UE is unable to support the ciphering and/or integrity protection algorithms specified in the SECURITY MODE COMMAND message, then the UTRAN shall return to the CN a SECURITY MODE REJECT message with cause value "Requested Ciphering and/or Integrity Protection Algorithms not Supported". If the radio interface Security Mode Control procedure fails, a SECURITY MODE REJECT message shall be sent to the CN with cause value "Failure in the Radio Interface Procedure".

8.18.4 Abnormal Conditions

If, when establishing a signalling connection towards a second core network domain, the integrity has already been started by the first domain and the integrity protection and ciphering information specified in the SECURITY MODE COMMAND message does not support the integrity protection alternative and the ciphering alternative presently being used, a SECURITY MODE REJECT message shall be sent to the second core network domain with cause value "Conflict with already existing Integrity protection and/or Ciphering information".

If, upon reception of a SECURITY MODE COMMAND message from a core network domain with an already existing signalling connection from that core network domain and for which integrity protection and possibly ciphering have already been started, the Key Status IE has the value "Old", a SECURITY MODE REJECT message shall be returned with cause value "Conflict with already existing Integrity protection and/or Ciphering information".

If, upon reception of a SECURITY MODE COMMAND message from a core network domain with an already existing signalling connection and for which integrity protection and possibly ciphering have already been started, the included integrity protection and ciphering information does not support the integrity protection alternative and the ciphering alternative presently being used, a SECURITY MODE REJECT message shall be returned with cause value "Conflict with already existing Integrity protection and/or Ciphering information".
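The following is an added illustration, not code from 3GPP or from any RANAP implementation, of how an RNC would apply the rules of 8.18.2 to 8.18.4 above: selection in the CN's preference order against UE/UTRAN capability, reuse of the first domain's alternatives when a second domain activates security, re-keying on an existing connection, and the three reject causes. The class and field names are Python stand-ins for the RANAP messages and IEs, the capability sets and algorithm lists are constructed (UIA1/UIA2 and UEA1/UEA2 are the standard UMTS integrity and encryption algorithm identifiers; UEA0 and "no encryption" are as in 8.18.2), the radio interface procedure outcome is a plain flag, and the case where the Security Mode Control procedure is still ongoing on the other domain is not modelled.

```python
"""Model of RNC-side handling of the RANAP Security Mode Control procedure
(TS 25.413 clause 8.18). Added illustration, not 3GPP or vendor code: the
message/field names stand in for the RANAP IEs and all inputs are constructed."""
from dataclasses import dataclass, field
from typing import Optional

NO_ENCRYPTION = "no encryption"   # permitted-list element meaning: do not cipher (8.18.2)
UEA0 = "UEA0"                     # null algorithm; the connection is likewise not ciphered
NOT_CIPHERED = (None, NO_ENCRYPTION, UEA0)

CAUSE_NOT_SUPPORTED = "Requested Ciphering and/or Integrity Protection Algorithms not Supported"
CAUSE_CONFLICT = "Conflict with already existing Integrity protection and/or Ciphering information"
CAUSE_RADIO_FAILURE = "Failure in the Radio Interface Procedure"


@dataclass
class DomainState:
    """Security state of the signalling connection towards one CN domain (CS or PS)."""
    integrity_started: bool = False
    integrity_alg: Optional[str] = None
    encryption_alg: Optional[str] = None      # one of NOT_CIPHERED while ciphering is off


@dataclass
class SecurityModeCommand:
    domain: str                               # "CS" or "PS"
    integrity_algs: list                      # Integrity Protection Information IE, most preferred first
    encryption_algs: Optional[list] = None    # Encryption Information IE (optional)
    key_status: str = "New"                   # Key Status IE: "New" or "Old"


def no_cipher_choice(encryption_algs):
    """Value to report when ciphering stays off: None if the IE was absent, otherwise the
    list element that expresses 'no encryption' (None again if the list does not allow it)."""
    if encryption_algs is None:
        return None
    return next((a for a in encryption_algs if a in (NO_ENCRYPTION, UEA0)), None)


def supports_in_use(cmd, integ, enc):
    """8.18.2/8.18.4: the command must still permit the alternatives presently in use."""
    if integ not in cmd.integrity_algs:
        return False
    if enc in NOT_CIPHERED:
        return cmd.encryption_algs is None or no_cipher_choice(cmd.encryption_algs) is not None
    return cmd.encryption_algs is not None and enc in cmd.encryption_algs


@dataclass
class Rnc:
    utran_integrity: set
    utran_encryption: set
    ue_integrity: set
    ue_encryption: set
    radio_procedure_ok: bool = True           # stands in for the radio interface procedure result
    domains: dict = field(default_factory=lambda: {"CS": DomainState(), "PS": DomainState()})

    def handle(self, cmd):
        """Return ("SECURITY MODE COMPLETE", ies) or ("SECURITY MODE REJECT", cause)."""
        this = self.domains[cmd.domain]
        other = self.domains["PS" if cmd.domain == "CS" else "CS"]
        if this.integrity_started:
            # Re-keying an already secured connection: Key Status must be "New" and the
            # command must keep supporting what is in use (8.18.2, 8.18.4).
            if cmd.key_status == "Old" or not supports_in_use(cmd, this.integrity_alg, this.encryption_alg):
                return ("SECURITY MODE REJECT", CAUSE_CONFLICT)
            integ, enc = this.integrity_alg, this.encryption_alg
        elif other.integrity_started:
            # Second domain: reuse the first domain's alternatives (8.18.2), reject on mismatch (8.18.4).
            if not supports_in_use(cmd, other.integrity_alg, other.encryption_alg):
                return ("SECURITY MODE REJECT", CAUSE_CONFLICT)
            integ, enc = other.integrity_alg, other.encryption_alg
        else:
            # First activation: walk the CN's preference lists against UE and UTRAN capability.
            integ = next((a for a in cmd.integrity_algs
                          if a in self.utran_integrity and a in self.ue_integrity), None)
            enc = None
            if cmd.encryption_algs is not None:
                enc = next((a for a in cmd.encryption_algs if a in (NO_ENCRYPTION, UEA0)
                            or (a in self.utran_encryption and a in self.ue_encryption)), None)
            if integ is None or (cmd.encryption_algs is not None and enc is None):
                return ("SECURITY MODE REJECT", CAUSE_NOT_SUPPORTED)
        if enc in NOT_CIPHERED:
            enc = no_cipher_choice(cmd.encryption_algs)   # report the form this command allowed
        if not self.radio_procedure_ok:
            return ("SECURITY MODE REJECT", CAUSE_RADIO_FAILURE)
        this.integrity_started, this.integrity_alg, this.encryption_alg = True, integ, enc
        ies = {"Chosen Integrity Protection Algorithm": integ}
        if cmd.encryption_algs is not None:   # included if and only if the IE was in the command
            ies["Chosen Encryption Algorithm"] = enc
        return ("SECURITY MODE COMPLETE", ies)


def demo():
    """Constructed walk-through: CS activates UIA1/UEA1, PS must follow, then a stale re-key."""
    rnc = Rnc(utran_integrity={"UIA1", "UIA2"}, utran_encryption={"UEA1", "UEA2"},
              ue_integrity={"UIA1"}, ue_encryption={"UEA1"})
    r1 = rnc.handle(SecurityModeCommand("CS", ["UIA2", "UIA1"], ["UEA2", "UEA1", NO_ENCRYPTION]))
    r2 = rnc.handle(SecurityModeCommand("PS", ["UIA1"], ["UEA2"]))   # cannot match CS: conflict
    r3 = rnc.handle(SecurityModeCommand("PS", ["UIA1"], ["UEA1"]))   # follows CS
    r4 = rnc.handle(SecurityModeCommand("CS", ["UIA1"], ["UEA1"], key_status="Old"))
    return r1, r2, r3, r4
```

Running `demo()` shows the UE's lack of UIA2/UEA2 pushing selection down the CN's preference lists, the PS domain being forced onto the CS domain's alternatives, and a re-key with Key Status "Old" being rejected with the conflict cause; a command without the Encryption Information IE yields a SECURITY MODE COMPLETE that carries no Chosen Encryption Algorithm IE, matching 8.18.2.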